Intune remote action compatibility with Defender EDR isolation

We're leveraging Intune alongside Defender for Endpoint. One challenge we're running into is that with Defender EDR, when our security team isolates a device, all connectivity to the Intune service is blocked (including for remote device actions like wipe device).

Is there something we're missing in our Defender / endpoint security configuration in MEM that would still allow Intune communication to occur in this EDR scenario? (or if not full Intune communication - at least MDM remote action push notifications?). Defender is clearly capable of allowing some traffic through (there's a built-in option in Defender isolation to allow Outlook/Teams traffic only when isolating a device, for instance) - I'm just not seeing any options to not block Intune traffic.

There are situations where it's important to maintain the ability for our security team to remote wipe a device - and other EDR solutions that aren't Defender have mechanisms for excluding Intune service IP ranges to still allow remote management functionality.

best response confirmed by kramer314 (Copper Contributor)
Solution

There is no such option.

You could use Live Response (isolated devices can still access the Defender service) to access such devices. That's probably also why the option isn't available, as you can run scripts in Live Response sessions (and, as such, don't need to have a connection to MDM).

If you allowed communications, you could also instruct the user to reset their device.
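To make the Live Response route concrete, here is an added read-only status script (not from the thread, and not Microsoft's own code) that an analyst could upload to the Live Response script library and invoke with `run` on an isolated device: it reports the Intune MDM enrollment state, the last result of the enrollment client's sync task, and whether the Intune service hostnames are reachable on TCP 443. The hostnames, registry path and task path it inspects are assumptions to verify against Microsoft's current documentation.

```powershell
# Added example: read-only Intune/MDM status check for use through Defender Live Response.
# On a fully isolated device the reachability section is expected to show False for every
# endpoint, which is the behaviour described in the question; the script itself still runs
# because Live Response rides on the Defender channel, not on MDM connectivity.
# Hostnames below are an assumed subset of the Intune endpoint list (verify against Microsoft docs).
$intuneEndpoints = @('manage.microsoft.com', 'enrollment.manage.microsoft.com', 'login.microsoftonline.com')

function Get-MdmEnrollment {
    # Assumed layout: each MDM enrollment lives under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>,
    # and Intune enrollments carry ProviderID 'MS DM Server'.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { $_.PSChildName } }, EnrollmentState, DiscoveryServiceFullURL
}

function Get-MdmSyncTask {
    # Assumed layout: the enrollment client registers its sync tasks under
    # \Microsoft\Windows\EnterpriseMgmt\<GUID>\ ; LastTaskResult 0 means the last sync succeeded.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task           = $_.TaskName
                LastRunTime    = $info.LastRunTime
                LastTaskResult = $info.LastTaskResult
            }
        }
}

function Test-IntuneReachability {
    # TCP-level reachability only; a True here does not prove the MDM session itself works.
    foreach ($h in $intuneEndpoints) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $h; TcpReachable = $r.TcpTestSucceeded }
    }
}

'=== MDM enrollment ===';              Get-MdmEnrollment      | Format-List
'=== Intune sync tasks ===';           Get-MdmSyncTask        | Format-Table -AutoSize
'=== Intune endpoint reachability ==='; Test-IntuneReachability | Format-Table -AutoSize
```

The output lets the analyst confirm, before deciding whether to lift isolation, that the device is still enrolled and that the MDM channel (not the Defender channel) is what isolation is blocking.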

Intune remote action is compatible with Defender EDR isolation. Intune is a cloud-based service provided by Microsoft that allows organizations to manage and secure their devices. It offers remote actions that enable administrators to perform various tasks on managed devices, such as deploying software, configuring settings, or initiating scans.

Defender EDR (Endpoint Detection and Response) is a feature of Microsoft Defender Antivirus that provides advanced threat detection and response capabilities on Windows devices. It allows organizations to investigate and respond to security incidents.

When it comes to compatibility between Intune remote action and Defender EDR isolation, both can work together effectively. Defender EDR isolation is a feature that isolates potentially compromised devices from the network to prevent the further spread of threats. It creates a secure environment for investigation and remediation.

If a device managed by Intune is placed in Defender EDR isolation, you can still use Intune remote actions to perform necessary tasks on the device. These actions can include initiating scans, deploying security updates, or even triggering remediation actions. However, it's important to note that the exact actions available may depend on the specific configuration and capabilities of your Intune and Defender EDR environments.

Overall, Intune remote action is compatible with Defender EDR isolation, allowing you to manage and secure your devices even when they are isolated for investigation or remediation purposes.